Merge pull request #228 from ekohl/fix-syntax

Fix syntax in pem_cert.pp and correctly pass in a flat array

Author: ekohl

lib/puppet/provider/x509_cert/openssl.rb

@@ -68,14 +68,14 @@ def create
         '-out', resource[:path]
       ]
       if resource[:ca]
-        options << ['-extfile', resource[:template]]
-        options << ['-CAcreateserial']
-        options << ['-CA', resource[:ca]]
-        options << ['-CAkey', resource[:cakey]]
+        options += ['-extfile', resource[:template]]
+        options += ['-CAcreateserial']
+        options += ['-CA', resource[:ca]]
+        options += ['-CAkey', resource[:cakey]]
       else
-        options << ['-signkey', resource[:private_key]]
+        options += ['-signkey', resource[:private_key]]
         if resource[:req_ext]
-          options << [
+          options += [
             '-extensions', 'v3_req',
             '-extfile', resource[:template]
           ]
@@ -95,11 +95,14 @@ def create
     password = resource[:cakey_password] || resource[:password]
 
     if password
-      options << ['-passin', 'env:CERTIFICATE_PASSIN']
+      options += ['-passin', 'env:CERTIFICATE_PASSIN']
       env['CERTIFICATE_PASSIN'] = password
     end
-    options << ['-extensions', 'v3_req'] if resource[:req_ext] != :false
-    openssl options, environment: env
+    options += ['-extensions', 'v3_req'] if resource[:req_ext] != :false
+
+    # openssl(options) doesn't work because it's impossible to pass an env
+    # https://github.com/puppetlabs/puppet/issues/9493
+    execute([command('openssl')] + options, { failonfail: true, combine: true, custom_environment: env })
   end
 
   def destroy

lib/puppet/provider/x509_request/openssl.rb

@@ -37,12 +37,14 @@ def create
     ]
 
     if resource[:password]
-      options << ['-passin', 'env:CERTIFICATE_PASSIN']
+      options += ['-passin', 'env:CERTIFICATE_PASSIN']
       env['CERTIFICATE_PASSIN'] = resource[:password]
     end
-    options << ['-nodes'] unless resource[:encrypted]
+    options << '-nodes' unless resource[:encrypted]
 
-    openssl options, environment: env
+    # openssl(options) doesn't work because it's impossible to pass an env
+    # https://github.com/puppetlabs/puppet/issues/9493
+    execute([command('openssl')] + options, { failonfail: true, combine: true, custom_environment: env })
   end
 
   def destroy

manifests/export/pem_cert.pp

@@ -66,7 +66,7 @@
 
     exec { "Export ${in_cert} to ${pem_cert}":
       command     => $cmd,
-      environment => $passin_env
+      environment => $passin_env,
       path        => $facts['path'],
       *           => $exec_params,
     }

spec/unit/puppet/provider/x509_cert/openssl_spec.rb

@@ -5,7 +5,6 @@
 require 'pathname'
 require 'puppet/type/x509_cert'
 
-provider_class = Puppet::Type.type(:x509_cert).provider(:openssl)
 describe 'The openssl provider for the x509_cert type' do
   let(:path) { '/tmp/foo.crt' }
   let(:pathname) { Pathname.new(path) }
@@ -31,33 +30,49 @@
     end
 
     it 'creates a certificate with the proper options' do
-      expect(provider_class).to receive(:openssl).with([
-                                                         'req',
-                                                         '-config', '/tmp/foo.cnf',
-                                                         '-new',
-                                                         '-x509',
-                                                         '-days', 3650,
-                                                         '-key', '/tmp/foo.key',
-                                                         '-out', '/tmp/foo.crt',
-                                                         ['-extensions', 'v3_req']
-                                                       ])
+      expect(resource.provider).to receive(:execute).with(
+        [
+          '/usr/bin/openssl',
+          'req',
+          '-config', '/tmp/foo.cnf',
+          '-new',
+          '-x509',
+          '-days', 3650,
+          '-key', '/tmp/foo.key',
+          '-out', '/tmp/foo.crt',
+          '-extensions', 'v3_req',
+        ],
+        {
+          combine: true,
+          custom_environment: {},
+          failonfail: true,
+        }
+      )
       resource.provider.create
     end
 
     context 'when using password' do
       it 'creates a certificate with the proper options' do
         resource[:password] = '2x6${'
-        expect(provider_class).to receive(:openssl).with([
-                                                           'req',
-                                                           '-config', '/tmp/foo.cnf',
-                                                           '-new',
-                                                           '-x509',
-                                                           '-days', 3650,
-                                                           '-key', '/tmp/foo.key',
-                                                           '-out', '/tmp/foo.crt',
-                                                           ['-passin', 'pass:2x6${'],
-                                                           ['-extensions', 'v3_req']
-                                                         ])
+        expect(resource.provider).to receive(:execute).with(
+          [
+            '/usr/bin/openssl',
+            'req',
+            '-config', '/tmp/foo.cnf',
+            '-new',
+            '-x509',
+            '-days', 3650,
+            '-key', '/tmp/foo.key',
+            '-out', '/tmp/foo.crt',
+            '-passin', 'env:CERTIFICATE_PASSIN',
+            '-extensions', 'v3_req',
+          ],
+          {
+            combine: true,
+            custom_environment: { 'CERTIFICATE_PASSIN' => '2x6${' },
+            failonfail: true,
+          }
+        )
         resource.provider.create
       end
     end
@@ -68,18 +83,26 @@
       resource[:csr] = '/tmp/foo.csr'
       resource[:ca]  = '/tmp/foo-ca.crt'
       resource[:cakey] = '/tmp/foo-ca.key'
-      expect(provider_class).to receive(:openssl).with([
-                                                         'x509',
-                                                         '-req',
-                                                         '-days', 3650,
-                                                         '-in', '/tmp/foo.csr',
-                                                         '-out', '/tmp/foo.crt',
-                                                         ['-extfile', '/tmp/foo.cnf'],
-                                                         ['-CAcreateserial'],
-                                                         ['-CA', '/tmp/foo-ca.crt'],
-                                                         ['-CAkey', '/tmp/foo-ca.key'],
-                                                         ['-extensions', 'v3_req']
-                                                       ])
+      expect(resource.provider).to receive(:execute).with(
+        [
+          '/usr/bin/openssl',
+          'x509',
+          '-req',
+          '-days', 3650,
+          '-in', '/tmp/foo.csr',
+          '-out', '/tmp/foo.crt',
+          '-extfile', '/tmp/foo.cnf',
+          '-CAcreateserial',
+          '-CA', '/tmp/foo-ca.crt',
+          '-CAkey', '/tmp/foo-ca.key',
+          '-extensions', 'v3_req',
+        ],
+        {
+          combine: true,
+          custom_environment: {},
+          failonfail: true,
+        }
+      )
       resource.provider.create
     end
   end
@@ -90,19 +113,27 @@
       resource[:ca]  = '/tmp/foo-ca.crt'
       resource[:cakey] = '/tmp/foo-ca.key'
       resource[:cakey_password] = '5i;6%'
-      expect(provider_class).to receive(:openssl).with([
-                                                         'x509',
-                                                         '-req',
-                                                         '-days', 3650,
-                                                         '-in', '/tmp/foo.csr',
-                                                         '-out', '/tmp/foo.crt',
-                                                         ['-extfile', '/tmp/foo.cnf'],
-                                                         ['-CAcreateserial'],
-                                                         ['-CA', '/tmp/foo-ca.crt'],
-                                                         ['-CAkey', '/tmp/foo-ca.key'],
-                                                         ['-passin', 'pass:5i;6%'],
-                                                         ['-extensions', 'v3_req']
-                                                       ])
+      expect(resource.provider).to receive(:execute).with(
+        [
+          '/usr/bin/openssl',
+          'x509',
+          '-req',
+          '-days', 3650,
+          '-in', '/tmp/foo.csr',
+          '-out', '/tmp/foo.crt',
+          '-extfile', '/tmp/foo.cnf',
+          '-CAcreateserial',
+          '-CA', '/tmp/foo-ca.crt',
+          '-CAkey', '/tmp/foo-ca.key',
+          '-passin', 'env:CERTIFICATE_PASSIN',
+          '-extensions', 'v3_req',
+        ],
+        {
+          combine: true,
+          custom_environment: { 'CERTIFICATE_PASSIN' => '5i;6%' },
+          failonfail: true,
+        }
+      )
       resource.provider.create
     end
   end

spec/unit/puppet/provider/x509_request/openssl_spec.rb

@@ -4,7 +4,6 @@
 require 'pathname'
 require 'puppet/type/x509_request'
 
-provider_class = Puppet::Type.type(:x509_request).provider(:openssl)
 describe 'The openssl provider for the x509_request type' do
   let(:path) { '/tmp/foo.csr' }
   let(:pathname) { Pathname.new(path) }
@@ -27,26 +26,42 @@
     end
 
     it 'creates a certificate with the proper options' do
-      expect(provider_class).to receive(:openssl).with([
-                                                         'req', '-new',
-                                                         '-key', '/tmp/foo.key',
-                                                         '-config', '/tmp/foo.cnf',
-                                                         '-out', '/tmp/foo.csr'
-                                                       ])
+      expect(resource.provider).to receive(:execute).with(
+        [
+          '/usr/bin/openssl',
+          'req', '-new',
+          '-key', '/tmp/foo.key',
+          '-config', '/tmp/foo.cnf',
+          '-out', '/tmp/foo.csr'
+        ],
+        {
+          combine: true,
+          custom_environment: {},
+          failonfail: true,
+        }
+      )
       resource.provider.create
     end
   end
 
   context 'when using password' do
     it 'creates a certificate with the proper options' do
       resource[:password] = '2x6${'
-      expect(provider_class).to receive(:openssl).with([
-                                                         'req', '-new',
-                                                         '-key', '/tmp/foo.key',
-                                                         '-config', '/tmp/foo.cnf',
-                                                         '-out', '/tmp/foo.csr',
-                                                         ['-passin', 'pass:2x6${']
-                                                       ])
+      expect(resource.provider).to receive(:execute).with(
+        [
+          '/usr/bin/openssl',
+          'req', '-new',
+          '-key', '/tmp/foo.key',
+          '-config', '/tmp/foo.cnf',
+          '-out', '/tmp/foo.csr',
+          '-passin', 'env:CERTIFICATE_PASSIN',
+        ],
+        {
+          combine: true,
+          custom_environment: { 'CERTIFICATE_PASSIN' => '2x6${' },
+          failonfail: true,
+        }
+      )
       resource.provider.create
     end
   end